5

If a site uses HTTP and not HTTPS, is it useful to include a Content Security Policy? Can an adversary not just remove it?

savx2
  • 153
  • 4
  • 1
This is basically saying that anything sent over plain HTTP is not useful since an attacker can replace it. This is true for the whole request and response header and body. CSP is no exception here. – Steffen Ullrich Nov 23 '21 at 15:18

1 Answer

9

It depends on what the attacker is able to do.

As you know, it's possible for an HTTP request / response to be intercepted and modified by an attacker. This attacker can then alter the response to remove the CSP.

But this requires the attacker to be able to intercept HTTP requests, which is, depending on the threat model, not the easiest attack vector to get.

Many attack vectors don't require intercepting the HTTP request at all, like clickjacking and XSS injections. CSP is still an effective defense against them.

Benoit Esnard
  • 14,694
  • 7
  • 69
  • 69
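To make the answer's point concrete, here is an added example (not part of the original question or answer) that parses a Content-Security-Policy header value and reports whether the policy restricts inline scripts (the XSS case) and framing (the clickjacking case). Passing `None` models the situation the question worries about, a network attacker stripping the header from a plain-HTTP response: the client then sees an empty policy and gets neither protection. The sample policies and the `cdn.example.test` host are constructed for illustration.

```python
"""Minimal CSP evaluator: which of the defences discussed above does a given
policy provide? Added example, not code from the original Q&A."""

from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Constructed sample header values (not from the page).
POLICY_STRICT = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
                 "frame-ancestors 'none'")
POLICY_WEAK = "default-src 'self' 'unsafe-inline'"
POLICY_NONCED = "script-src 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'self'"
HEADER_STRIPPED = None  # what the browser sees after a MitM removed the header


def parse_csp(header: Optional[str]) -> Policy:
    """Split a CSP header value into {directive-name: [source, ...]}.

    Directives are ';'-separated; inside a directive tokens are whitespace-
    separated and the first is the (case-insensitive) directive name.
    A duplicated directive is ignored, as the spec requires: the first wins.
    A missing header yields an empty policy, i.e. no restrictions at all.
    """
    policy: Policy = {}
    if not header:
        return policy
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: Policy) -> Optional[List[str]]:
    """script-src falls back to default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def blocks_inline_scripts(policy: Policy) -> bool:
    """True if injected inline <script> blocks would be refused by the browser."""
    sources = effective_script_sources(policy)
    if sources is None:
        return False  # no directive governs scripts: anything runs
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" in lowered:
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
        # so the policy is still strict in that case.
        return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                   for s in lowered)
    return True


def blocks_framing(policy: Policy) -> bool:
    """True if frame-ancestors limits who may embed the page (clickjacking)."""
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        return False
    return "*" not in ancestors  # 'none' or an explicit list both restrict framing


def assess(header: Optional[str]) -> Dict[str, bool]:
    """Summarise the protections a header value actually delivers."""
    policy = parse_csp(header)
    return {
        "present": bool(policy),
        "blocks_inline_scripts": blocks_inline_scripts(policy),
        "blocks_framing": blocks_framing(policy),
    }


if __name__ == "__main__":
    for label, header in [("strict", POLICY_STRICT), ("weak", POLICY_WEAK),
                          ("nonced", POLICY_NONCED), ("stripped", HEADER_STRIPPED)]:
        print(f"{label:>9}: {assess(header)}")
```

The `HEADER_STRIPPED` case is the one the question describes, and the evaluator reports no protection for it; the other three show that when the header does arrive intact, which is the situation for every attacker who cannot sit on the network path, the policy's content decides whether XSS and clickjacking are mitigated.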